update1: I tried all of the suggestion (much appreciated btw) but the execution still isn't going through displaying "Updated 0 rows ". I have tried multiple ways of approaching this but nothing seems to work for me.
Here is the code I have at the moment:
if(isset($_POST['Done'])) {
$updateCD = "UPDATE users SET lgs=?, its=?, hbs=?, bios=?, pls=?, cts=? WHERE email=?";
$stmt = $con->prepare($updateCD);
$stmt->bind_param('sssssss', $_POST['lgs'], $_POST['its'], $_POST['hbs'], $_POST['bios'], $_POST['pls'], $_POST['cts'], $_GET['email']);
$stmt->execute();
if ($stmt->errno) {
echo "FAILURE!!! " . $stmt->error;
}
else {
echo "Updated {$stmt->affected_rows} rows";
$stmt->close();
}
}
I am wanting to increase the security of my code by replacing my basic sqli queries with prepared statements.
This UPDATE statement concerns updating the user's profile information in the database. Problem is, despite the models I followed, the update execution isn't getting through thus changing nothing in the database.
PHP code:
$email_login = mysqli_real_escape_string($con, $GET['email']);
$lg = mysqli_real_escape_string($con, $_POST['lgs']);
$it = mysqli_real_escape_string($con, $_POST['its']);
$hb = mysqli_real_escape_string($con, $_POST['hbs']);
$bio = mysqli_real_escape_string($con, $_POST['bios']);
$pl = mysqli_real_escape_string($con, $_POST['pls']);
$ct = mysqli_real_escape_string($con, $_POST['cts']);
if(isset($_POST['Done'])) {
$updateCD = "UPDATE users SET lgs=?, its=?, hbs=?, bios=?, pls=?, cts=? WHERE email=?";
$stmt = $con->prepare($updateCD);
$stmt->bind_param('sssssss', $lg, $it, $hb, $bio, $pl, $ct, $email_login);
$stmt->execute();
if ($stmt->errno) {
echo "FAILURE!!! " . $stmt->error;
}
else {
echo "Updated {$stmt->affected_rows} rows";
$stmt->close();
}
}
Note after closure: I understand why it may seem as if this question is similar to the other one, but by no means is it an exact duplicate. The referred question concerned updating a table in general whereas this question magnifies on using prepared statements to execute an update. I already know how to update a table without using prepared statements so I would like to improve my code syntax with a more reliable frameset. Although both questions are related, they have different scopes.
Your $email_login variable is empty; even if it's obtained via GET, you have to use $_GET, and not $GET.
As said in various comments, don't use mysqli_real_escape_string, since reliable escaping is done by MySQLi itself. Just pass in the $_POST variables directly as arguments for bind_param.
Some additional ideas:
PDO instead of MySQLi: mysqli or PDO - what are the pros and cons?, http://www.quora.com/As-a-PHP-beginner-should-I-learn-MySQLI-or-PDO-first